From 251ba120b5e3277a0e53e9ea2417f6b370cf7d05 Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Sun, 23 Dec 2018 00:18:13 -0600
Subject: Fixed CVE division-by-zero issues Description:     Fixed HDFFV-10577
 and similar issues found in H5Dchunk.c.  All     the occurrences are in:     
    H5D__create_chunk_map_single         H5D__create_chunk_file_map_hyper     
    H5D__chunk_allocate         H5D__chunk_update_old_edge_chunks        
 H5D__chunk_prune_by_extent         H5D__chunk_copy_cb        
 H5D__chunk_collective_fill Platforms tested:     Linux/64 (jelly)    
 Linux/64 (platypus)     Darwin (osx1010test)

---
 src/H5Dchunk.c | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/src/H5Dchunk.c b/src/H5Dchunk.c
index 91f3b91..c1ade91 100644
--- a/src/H5Dchunk.c
+++ b/src/H5Dchunk.c
@@ -1493,6 +1493,9 @@ H5D__create_chunk_map_single(H5D_chunk_map_t *fm, const H5D_io_info_t
 
     /* Set chunk location & hyperslab size */
     for(u = 0; u < fm->f_ndims; u++) {
+        /* Validate this chunk dimension */
+        if(fm->layout->u.chunk.dim[u] == 0)
+            HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", u)
         HDassert(sel_start[u] == sel_end[u]);
         chunk_info->scaled[u] = sel_start[u] / fm->layout->u.chunk.dim[u];
         coords[u] = chunk_info->scaled[u] * fm->layout->u.chunk.dim[u];
@@ -1580,6 +1583,9 @@ H5D__create_chunk_file_map_hyper(H5D_chunk_map_t *fm, const H5D_io_info_t
 
     /* Set initial chunk location & hyperslab size */
     for(u = 0; u < fm->f_ndims; u++) {
+        /* Validate this chunk dimension */
+        if(fm->layout->u.chunk.dim[u] == 0)
+            HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", u)
         scaled[u] = start_scaled[u] = sel_start[u] / fm->layout->u.chunk.dim[u];
         coords[u] = start_coords[u] = scaled[u] * fm->layout->u.chunk.dim[u];
         end[u] = (coords[u] + fm->chunk_dim[u]) - 1;
@@ -4043,6 +4049,9 @@ H5D__chunk_allocate(const H5D_io_info_t *io_info, hbool_t full_overwrite, hsize_
      * assume here that all elements of space_dim are > 0.  This is checked at
      * the top of this function. */
     for(op_dim=0; op_dim<space_ndims; op_dim++) {
+        /* Validate this chunk dimension */
+        if(chunk_dim[op_dim] == 0)
+            HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", op_dim)
         min_unalloc[op_dim] = (old_dim[op_dim] + chunk_dim[op_dim] - 1) / chunk_dim[op_dim];
         max_unalloc[op_dim] = (space_dim[op_dim] - 1) / chunk_dim[op_dim];
 
@@ -4484,13 +4493,17 @@ H5D__chunk_update_old_edge_chunks(H5D_t *dset, hsize_t old_dim[])
         /* Start off with this dimension marked as not needing to be modified */
         new_full_dim[op_dim] = FALSE;
 
+        /* Validate this chunk dimension */
+        if(chunk_dim[op_dim] == 0)
+            HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", op_dim)
+
         /* Calculate offset of first previously incomplete chunk in this
          * dimension */
-	old_edge_chunk_sc[op_dim] = (old_dim[op_dim] / chunk_dim[op_dim]);
+	    old_edge_chunk_sc[op_dim] = (old_dim[op_dim] / chunk_dim[op_dim]);
 
         /* Calculate the largest offset of chunks that might need to be
          * modified in this dimension */
-	max_edge_chunk_sc[op_dim] = MIN((old_dim[op_dim] - 1) / chunk_dim[op_dim],
+	    max_edge_chunk_sc[op_dim] = MIN((old_dim[op_dim] - 1) / chunk_dim[op_dim],
 					  MAX((space_dim[op_dim] / chunk_dim[op_dim]), 1) - 1);
 
         /* Check for old_dim aligned with chunk boundary in this dimension, if
@@ -4626,6 +4639,9 @@ H5D__chunk_collective_fill(const H5D_t *dset, H5D_chunk_coll_info_t *chunk_info,
         HGOTO_ERROR(H5E_INTERNAL, H5E_MPI, FAIL, "Can't retrieve MPI size")
 
     /* Distribute evenly the number of blocks between processes. */
+    if(mpi_size == 0)
+        HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "Resulted in division by zero")
+/* BMR: I don't know whether mpi_size = 0 is a valid value, please advise */
     num_blocks = chunk_info->num_io / mpi_size; /* value should be the same on all procs */
 
     /* after evenly distributing the blocks between processes, are
@@ -5066,6 +5082,10 @@ H5D__chunk_prune_by_extent(H5D_t *dset, const hsize_t *old_dim)
     HDmemset(min_mod_chunk_sc, 0, sizeof(min_mod_chunk_sc));
     HDmemset(max_mod_chunk_sc, 0, sizeof(max_mod_chunk_sc));
     for(op_dim = 0; op_dim < (unsigned)space_ndims; op_dim++) {
+        /* Validate this chunk dimension */
+        if(chunk_dim[op_dim] == 0)
+            HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", op_dim)
+
         /* Calculate the largest offset of chunks that might need to be
          * modified in this dimension */
         max_mod_chunk_sc[op_dim] = (old_dim[op_dim] - 1) / chunk_dim[op_dim];
@@ -5721,9 +5741,12 @@ H5D__chunk_copy_cb(const H5D_chunk_rec_t *chunk_rec, void *_udata)
         /* (background buffer has already been zeroed out, if not expanding) */
         if(udata->cpy_info->expand_ref) {
             size_t ref_count;
+            size_t dt_size;
 
             /* Determine # of reference elements to copy */
-            ref_count = nbytes / H5T_get_size(udata->dt_src);
+            if((dt_size = H5T_get_size(udata->dt_src)) == 0)
+                HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "size must not be 0")
+            ref_count = nbytes / dt_size;
 
             /* Copy the reference elements */
             if(H5O_copy_expand_ref(udata->file_src, buf, udata->idx_info_dst->f, bkg, ref_count, H5T_get_ref_type(udata->dt_src), udata->cpy_info) < 0)
-- 
cgit v0.12


From 9c6744778e31307b458750e375d331c99b05fa1c Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Sun, 23 Dec 2018 00:51:17 -0600
Subject: Fixed documentation - typo only

---
 c++/src/H5CppDoc.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/c++/src/H5CppDoc.h b/c++/src/H5CppDoc.h
index 0da98a4..5e80408 100644
--- a/c++/src/H5CppDoc.h
+++ b/c++/src/H5CppDoc.h
@@ -53,8 +53,7 @@
  * <br />
  * \section install_sec Installation
  *
- * The HDF5 C++ API is included with the HDF5 source code and can 
- * be obtained from 
+ * The HDF5 C++ API is included with the HDF5 source code.
  * 
  * Please refer to the release_docs/INSTALL file under the top directory 
  * of the HDF5 source code for information about installing, building, 
-- 
cgit v0.12


From 40c55f24ecbdd322fba527d768689fbdbd268374 Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Thu, 3 Jan 2019 09:47:01 -0600
Subject: Removed a comment.

---
 src/H5Dchunk.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/H5Dchunk.c b/src/H5Dchunk.c
index c1ade91..b5a5c39 100644
--- a/src/H5Dchunk.c
+++ b/src/H5Dchunk.c
@@ -4641,7 +4641,6 @@ H5D__chunk_collective_fill(const H5D_t *dset, H5D_chunk_coll_info_t *chunk_info,
     /* Distribute evenly the number of blocks between processes. */
     if(mpi_size == 0)
         HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "Resulted in division by zero")
-/* BMR: I don't know whether mpi_size = 0 is a valid value, please advise */
     num_blocks = chunk_info->num_io / mpi_size; /* value should be the same on all procs */
 
     /* after evenly distributing the blocks between processes, are
-- 
cgit v0.12